| Bug #34587 | Creating a view inside a stored procedure leads to a server crash | ||
|---|---|---|---|
| Submitted: | 15 Feb 2008 11:56 | Modified: | 15 Mar 2008 12:03 |
| Reporter: | Davi Arnaut | ||
| Status: | Closed | ||
| Category: | Server: SP | Severity: | S3 (Non-critical) |
| Version: | 5.1+ | OS: | Any |
| Assigned to: | Davi Arnaut | Target Version: | |
| Triage: | D1 (Critical) | ||
[15 Feb 2008 11:56]
Davi Arnaut
[15 Feb 2008 12:41]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/42344
ChangeSet@1.2552, 2008-02-15 09:40:55-02:00, davi@mysql.com +5 -0
Bug#34587 Creating a view inside a stored procedure leads to a server crash
The problem is that when a stored procedure is being parsed for the first execution, the body is copied to a temporary buffer which is disregarded sometime after the statement is parsed. And during this parsing phase, the rule for CREATE VIEW was holding a reference to the string being parsed for use during the execution of the CREATE VIEW statement, leading to invalid memory access later.
The solution is to allocate and copy the SELECT of a CREATE VIEW statement using the thread memory root, which is set to the permanent arena of the stored procedure.
[20 Feb 2008 15:45]
Konstantin Osipov
Approved by email.
[20 Feb 2008 21:27]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:
http://lists.mysql.com/commits/42699
ChangeSet@1.2552, 2008-02-20 17:26:50-03:00, davi@mysql.com +5 -0
Bug#34587 Creating a view inside a stored procedure leads to a server crash
The problem is that when a stored procedure is being parsed for the first execution, the body is copied to a temporary buffer which is disregarded sometime after the statement is parsed. And during this parsing phase, the rule for CREATE VIEW was holding a reference to the string being parsed for use during the execution of the CREATE VIEW statement, leading to invalid memory access later.
The solution is to allocate and copy the SELECT of a CREATE VIEW statement using the thread memory root, which is set to the permanent arena of the stored procedure.
[20 Feb 2008 21:30]
Davi Arnaut
Queued in 5.1-runtime
[3 Mar 2008 19:19]
Bugs System
Pushed into 5.1.24-rc
[3 Mar 2008 19:20]
Bugs System
Pushed into 6.0.5-alpha
[15 Mar 2008 12:03]
Jon Stephens
Documented bugfix in the 5.1.24 and 6.0.5 changelogs as follows:
Creating a view inside a stored procedure could lead to a crash of the
MySQL Server.
[2 Apr 2008 21:58]
Jon Stephens
Also noted in the 5.1.23-ndb-6.3.11 changelog.
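The lifetime bug described in the commit message above, reduced to a stand-alone C sketch: a view definition that borrows a pointer into the temporary parse buffer, next to one that copies the SELECT text into a longer-lived arena. This is an added example, not MySQL source or part of the bug report; `arena_t`, `view_def_t` and all function names are hypothetical stand-ins for the thread memory root and the CREATE VIEW grammar rule.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the procedure's permanent arena; names are hypothetical. */
typedef struct { char buf[256]; size_t used; } arena_t;
typedef struct { const char *select; } view_def_t;

char *arena_strdup(arena_t *a, const char *s) {
    size_t n = strlen(s) + 1;
    if (n > sizeof a->buf - a->used) return NULL;    /* arena exhausted */
    char *dst = memcpy(a->buf + a->used, s, n);
    a->used += n;
    return dst;
}

/* Toy "grammar rule": the SELECT starts after " AS " in the statement text. */
const char *find_select(const char *stmt) {
    const char *as = strstr(stmt, " AS ");
    return as ? as + 4 : NULL;
}

/* Before: the view keeps a pointer into the buffer being parsed. */
int parse_view_borrow(const char *stmt, view_def_t *v) {
    v->select = find_select(stmt);
    return v->select ? 0 : -1;
}

/* After: the SELECT text is copied into the arena that outlives the buffer. */
int parse_view_copy(const char *stmt, arena_t *perm, view_def_t *v) {
    const char *sel = find_select(stmt);
    v->select = sel ? arena_strdup(perm, sel) : NULL;
    return v->select ? 0 : -1;
}

/* Lifetime check: does the saved text still point into the parse buffer? */
int aliases_buffer(const view_def_t *v, const char *buf, size_t len) {
    uintptr_t p = (uintptr_t)v->select, lo = (uintptr_t)buf;
    return p >= lo && p - lo < len;
}

/* Parse from a temporary heap copy, release it, report if the view is safe. */
int copy_survives_free(const char *body, arena_t *perm, view_def_t *v) {
    size_t len = strlen(body) + 1;
    char *tmp = malloc(len);
    if (!tmp) return -1;
    memcpy(tmp, body, len);
    int ok = parse_view_copy(tmp, perm, v) == 0 && !aliases_buffer(v, tmp, len);
    free(tmp);                        /* temporary parse buffer is released */
    return ok ? 0 : -1;
}
```

`aliases_buffer` is the kind of assertion a debug build can run before the parse buffer is released, so a borrowed pointer is caught at parse time rather than at execution.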
